Please, please, please stop using passkeys for encrypting user data

markhahn 80 days ago |

Maybe I'm not getting it. Doesn't the problem start with ever deleting a passkey? That is: how do you ever know you don't need it anymore?

Also, what is the alternative? Just a password that you store in the vault? Seems like deleting those gets you back to the same place (with all the disadvantage of a plain password).

code-e 81 days ago |

What's the difference between keeping a passkey in bitwarden, and just using a password, also in bitwarden?

zetanor 81 days ago | |

Mainly that a service can't refuse passwords from Bitwarden, whereas in a few years you'll find yourself reading an article about how a bank in Luseristan has decided to require that their users sign in using Passkeys stored in an attested authenticator (not Bitwarden) running on an attested device (not any current Linux desktop).

DANmode 81 days ago | |

Your mom uses Bitwarden?

apothegm 82 days ago |

Not to mention the challenges when (gasp!) a single user uses more than one device. Like, yes, some of us have both desktop computers and phones, thanks for asking.

This is why I refuse to let most sites set me up with passkeys. I’m considering making exceptions for the ones that usually get this stuff right (like GitHub).

timmyc123 82 days ago | |

Not sure what you mean. In most cases, passkeys sync across your devices.

throwaway798214 82 days ago | | |

People with all Apple devices do not consist "most" of users

TheCleric 81 days ago | | |

This is the case in other areas though. I keep some of my passkeys in BitWarden and that is cross device/platform as well.

markhahn 80 days ago | | |

that seems like an excellent reason to avoid a buggy platform, as if there weren't other adequate reasons...

pabs3 81 days ago | |

Just add more than one passkey to your account?

apothegm 79 days ago | | |

Only a small subset of sites seem to support that so far.